Understanding Microsoft's Secure Remote Access Offerings
Remote access is a hot topic. It is hot because it should be hot. There are a lot of drivers for remote access, but the overarching issue is that people need access to information from anywhere, at any time, from any device. The outdated vision of access tied to a specific device or location is gone. Especially in corporate scenarios, people expect to get the business intelligence they need, when they need it, and be able to use a laptop, or desktop, or kiosk, or smartphone, or even an MP3 player to get to that information. IT has to be an enabler.
Microsoft is in line with this vision of anywhere, anytime access, and has a number of technologies you can use to enable secure remote access. Notice that I've injected the term "secure". Enabling remote access isn't technically complex. Any simple NAT device or router can enable remote access to business applications and services. The trick is to enable secure remote access so that you do not put your data, your servers and perhaps your job at risk.
From my count, here are the key Microsoft technologies available to you today that enable secure remote access into your organization:
- Windows Server 2008 NPS Routing and Remote Access VPN services
- Windows Server 2008 Terminal Services Gateway
- Microsoft ISA 2006 and Forefront Threat Management Gateway (TMG)
- Intelligent Application Gateway 2007 and Unified Access Gateway (UAG)
Windows Server 2008 NPS Remote Access VPN Services
Windows Servers have included a VPN server component since Windows NT. Since Windows NT, you have always had available to you the Point to Point Tunneling Protocol for VPN (PPTP). The problem with PPTP today is that most security experts consider it a deprecated VPN protocol and it should not be used in production networks due to some inherent security weaknesses in the protocol. While there are ways to bolster the level of security for PPTP (such as using two factor authentication for log on), PPTP is generally of interest only for historical purposes.
Windows 2000 Server introduced the L2TP/IPsec VPN protocol. This was a major advance for Windows, since the IPsec tunnel that is used to secure the information is created before the credentials transfer takes place. L2TP is used to create the virtual network, and IPsec is used to provide privacy on that virtual network connection. Another major advantage of L2TP/IPsec is that both user and machine authentication can be accomplished, because of the use of IPsec. Windows 2000 Server also extended the user authentication schemes available by enabling more advanced EAP authentication methods, so that certificates and smartcards could be used for user authentication.
Windows Server 2008 increased your VPN options by adding the Secure Socket Tunneling Protocol (SSTP). SSTP is essentially PPP over SSL. The great advantage of this protocol is that it runs over SSL, and just about any firewall or proxy allows outbound SSL. That's right. SSTP will work when the client is behind either a firewall or a proxy (and even proxy-based firewalls, like the ISA or TMG firewall). SSTP is included as part of the Windows Server 2008 NPS Routing and Remote Access Service, and it can leverage all the same user authentication protocols that L2TP/IPsec uses. The only downside of SSTP at this time is that you have to be very careful with some of the configuration steps and the order in which you perform them; otherwise, management can be very complicated. With that said, SSTP remains a tremendous boon for Windows VPN administrators.
Windows Server Terminal Services
Like the Routing and Remote Access VPN solutions available for the last several versions of Windows Server, Windows Server has also included a Terminal Services component. While not included with the RTM version of Windows NT, it was available later in the NT product cycle. Terminal Services was then incorporated into the operating system with the release of Windows 2000 Server. There were some improvements made to the Terminal Services offering with Windows Server 2003, but it was not until Windows Server 2008 that we saw major improvements.
In Windows Server 2008, and in the upcoming Windows Server 2008 R2, you have major enhancements to the Terminal Services offerings. Still included is the basic Terminal Server, which allows users to connect to the terminal server using the RDP protocol. That said, I should mention that the RDP protocol has been vastly improved. But it is not just the improvements in the RDP protocol that make the Windows Server 2008 Terminal Services offering so compelling. It's actually a collection of several improvements. These include:
- Terminal Services Web Access
- Terminal Services Gateway
- Terminal Services RemoteApp
While previous versions of Windows Server had a Terminal Services Web Access feature, Windows Server 2008 significantly improves on the experience because it integrates other new features of Windows Server 2008 Terminal Services into the Web site. In addition, access to computers and applications through the Terminal Services Web site can now be controlled using policy based access rules.
Terminal Services Gateway (TSG) enables policy-based Terminal Services access from anywhere in the world. A problem with remote access to Terminal Services in the past was that many firewalls would not allow outbound access to the default RDP port, which is TCP 3389. And of course, since proxies typically handle only HTTP protocols, Terminal Services clients could not reach terminal services over the Internet when the clients were located behind a Web proxy. TSG solves this problem by allowing the Terminal Services client to tunnel RDP inside of RPC, which is then tunneled inside HTTP, and secured by SSL, thus requiring only an outbound SSL connection to be allowed to the TSG. After the client connects to the TSG, policy-based access rules allow you to control which terminal servers or applications the user can connect to.
Did you notice that I said terminal servers or applications? That's right. With the new Windows Server 2008 Terminal Server, you have the option to publish terminal servers and/or applications. Terminal Services RemoteApp allows you to publish individual applications over Terminal Services. So if you wanted your users to have access to Word and PowerPoint, you can publish those applications over the Terminal Services Gateway and users would be presented with the applications only, instead of an entire desktop. This is a great boon to security, since it enables the principle of least privilege - giving users access only to what they need, which are the applications, instead of the entire desktop, which is not what they need. And this access is accomplished over the TSG, which enables strong policy-based access to these applications.
Internet Security and Acceleration Server 2006 and the Forefront Threat Management Gateway (TMG)
Now we move away from the platform services included with Windows Server and look at some of the network security applications Microsoft has to offer for secure remote access. Microsoft made its first attempt at a network security device when it introduced its Proxy Server product in the second half of the 1990s. This culminated in their first mature product, which was Proxy Server 2.0. While Proxy Server 2.0 was a fine proxy server, it was not designed to be an edge network security device for enabling secure remote access.
Microsoft took its first real stab at secure remote access with a network edge security device with the introduction of Microsoft Internet Security and Acceleration Server (ISA) 2000 at the end of the year 2000. This product was a multifunction device, enabling secure outbound access, secure server publishing and secure Web publishing. In addition, ISA 2000 included strong support for remote access VPN users as well as site to site VPN. On top of that, ISA 2000 was designed as an edge network firewall, so that you no longer needed to put a router-based firewall (layer 3 firewall) in front of the ISA 2000 firewall.
However, the ISA 2000 firewall was built on a threat model that was extant in the 1990s but is no longer true in the 21st century. That is to say, in the 1990s, the popular threat model was that anything outside the firewall was not trusted, and anything inside the firewall was trusted. Since this is no longer true, the next version of the ISA firewall, the ISA 2004 firewall, was released and was built on a threat model that assumed that no network could be trusted and that strong stateful packet and application layer inspection needed to be applied to all connections going to and through the ISA firewall.
With ISA 2004, remote access security was significantly improved. For Web publishing (reverse Web proxy), the HTTP Security Filter was introduced to protect against attacks on published Web sites. A number of application filters were added or improved to protect against exploits aimed at SMTP, DNS and other application servers. And most of all, the remote access and site to site VPN server components now enabled you to create strong user/group based access controls and applied the same stateful packet and application layer inspection that was performed on all other connections to or through the ISA firewall.
The ISA 2004 firewall was the first Microsoft firewall that could be said to be an enterprise-ready, edge network firewall, on par with Check Point, ASA and Netscreen.
ISA 2006 was released two years later and included all the remote access security features included with the 2004 ISA firewall. It included several improvements for remote access security such as:
- Support for Kerberos Constrained Delegation (KCD) so that you can publish Web sites that require users to use two-factor, certificate based authentication at the firewall
- Several enhancements to its forms-based authentication feature, so that users can use a flexible form to authenticate to the firewall before being allowed to the published Web site
- Expanded support for a number of new two-factor authentication methods, such as RADIUS one-time passwords
- LDAP server authentication for published Web sites, so that Active Directory repositories could be used when the firewall was not a domain member
- Web Farm Load Balancing, which enabled ISA 2006 admins to avoid the high cost of external, hardware load balancers and publish farms of Web servers behind the ISA firewall
ISA 2006 can also be configured to enable secure remote access to all of the Windows Server 2008 Terminal Services offerings, allowing for another layer of protection for remote Terminal Services access.
The Forefront Threat Management Gateway (TMG) is the next version of the ISA firewall. TMG includes all of the secure remote access technologies included in previous versions of the firewall, but ups the ante on outbound access security, adding malware protection and a uniquely powerful IDS to the mix. In addition, Web content filtering is enabled out of the box for TMG, something that ISA firewall administrators have been wanting for a long time.
Intelligent Application Gateway 2007 and UAG
The Intelligent Application Gateway 2007 (IAG 2007) is for organizations that look for the highest level of security for remote access connections. In contrast to the ISA or TMG firewall, the IAG 2007 SSL VPN gateway is a single purpose device: a remote access gateway for inbound connections to network services. While the ISA and TMG firewalls can provide the same or superior level of security for inbound connections to network services as any other firewall on the market today, IAG 2007 provides the highest level of security possible for incoming connections to Web and non-Web services.
IAG includes a number of software modules, known as Application Optimizers, which confer a very high level of protection for remote access to Web services. The Application Optimizers enable IAG to perform deep application layer inspection for the Web services it publishes. IAG's deep application layer inspection employs both positive and negative logic filtering. Positive logic filtering enables IAG to allow only known-good communications to the published Web service, while negative logic filters block known bad connections.
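The positive/negative distinction described above is easiest to see in code. The following is an added example, not IAG's own filter logic; the "/app" site profile and the signatures are constructed for illustration. It shows a request that slips past the negative (known-bad) filter but is still rejected by the positive (known-good) profile:

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Positive-logic profile of the published application: constructed for this
# example (a made-up "/app" site). Only these method/path/parameter shapes are allowed.
KNOWN_GOOD = {
    ("GET", "/app/"): {},
    ("GET", "/app/search"): {"q": re.compile(r"[\w .-]{1,64}")},
    ("POST", "/app/auth"): {"user": re.compile(r"[\w.@-]{1,64}"),
                           "pwd": re.compile(r".{1,128}")},
}

# Negative-logic signatures: patterns treated as bad regardless of where they appear.
KNOWN_BAD = [
    re.compile(r"\.\./"),                 # directory traversal
    re.compile(r"<\s*script", re.I),      # script injection
    re.compile(r"'\s*or\s", re.I),        # crude SQL-injection marker
]

def negative_filter(url, body=""):
    """Negative logic: block the request if any known-bad signature matches."""
    return not any(p.search(url + " " + body) for p in KNOWN_BAD)

def positive_filter(method, url, body=""):
    """Positive logic: allow only a known method/path with known, well-formed parameters."""
    parts = urlsplit(url)
    profile = KNOWN_GOOD.get((method, parts.path))
    if profile is None:
        return False
    # Parameters are URL-decoded here, so encoding tricks do not hide from this check.
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    return all(name in profile and profile[name].fullmatch(value)
               for name, value in params)

def inspect(method, url, body=""):
    """Apply both filters, negative first; returns (allowed, reason)."""
    if not negative_filter(url, body):
        return False, "blocked by negative logic (known-bad signature)"
    if not positive_filter(method, url, body):
        return False, "blocked by positive logic (outside the known-good profile)"
    return True, "allowed"
```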
Four types of connectivity are available with the IAG 2007 SSL VPN gateway. These include:
- Reverse Web proxy. IAG can act as a high security reverse Web proxy by applying application intelligence to remote connections to Web services
- Port Forwarder. For remote access to non-Web applications that use simple, single-port protocols, the IAG port forwarder allows clients to connect to those network applications over the SSL VPN tunnel
- Socket Forwarder. For remote access to more complex applications that require multiple primary or secondary connections (such as Outlook MAPI/RPC), remote access clients can use the IAG socket forwarder. All protocols communicated over the socket forwarder are also protected by SSL
- Network Connector. The Network Connector enables full network layer VPN access over the SSL VPN connection. This is useful for administrators who require unencumbered remote access to the network.
In addition to the SSL VPN gateway features, IAG 2007 also enables PPTP and L2TP/IPsec remote access VPN client access. This allows you to use IAG 2007 as your centralized remote access gateway, without having to split the management and monitoring of remote access connections to your network between several devices or types of devices.
The next version of the IAG, known as the Unified Access Gateway, will continue to build on the strong application layer intelligence included with IAG and will add more secure remote access options. The most interesting of these is support for Microsoft's new Direct Access remote connectivity option, which will enable users located anywhere in the world to transparently connect to the corporate network, including domain connectivity.
The major barrier to success for Direct Access is its dependency on IPv6. While there are advantages to IPv6, most networks are not architected to support IPv6 because there isn't a strong business case to switch over to IPv6. In addition, there isn't widespread understanding of IPv6, which makes it dangerous to implement on networks as it generates traffic that the majority of network administrators do not understand.
In order to mitigate the connectivity and security challenges introduced with Direct Access and IPv6, the UAG will employ NAT-PT (Network Address Translation - Protocol Translation). NAT-PT allows native IPv6 hosts and applications to communicate with native IPv4 hosts and applications and vice versa. This feature will make it much simpler, and more secure, to implement a Direct Access solution for tomorrow's Windows 7 and Windows Server 2008 R2 networks.
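To make the NAT-PT mechanism concrete, here is an added example of the address-translation core (headers and checksums omitted); it is not UAG's implementation. The /96 PREFIX and the IPv4 pool are constructed values. Note that, as with ordinary NAT, an IPv4 packet to a pool address with no existing binding is dropped, which is part of what makes the translator a security boundary:

```python
import ipaddress

# Constructed values: the translator's /96 IPv6 PREFIX (IPv4 hosts appear to IPv6
# hosts as PREFIX::v4) and the IPv4 pool handed out to IPv6 hosts on first use.
PREFIX = ipaddress.IPv6Network("2001:db8:ffff::/96")
V4_POOL = ["192.0.2.10", "192.0.2.11"]

class NatPt:
    """Address-translation core of a NAT-PT device (illustrative, not UAG's code)."""

    def __init__(self):
        self.free = [ipaddress.IPv4Address(a) for a in V4_POOL]
        self.v6_to_pool = {}   # IPv6 host -> pool IPv4 address it is bound to
        self.pool_to_v6 = {}   # pool IPv4 address -> IPv6 host

    @staticmethod
    def embed(v4):
        """IPv4 address -> PREFIX::v4, the address an IPv6 host uses for a v4 host."""
        return ipaddress.IPv6Address(int(PREFIX.network_address) | int(ipaddress.IPv4Address(v4)))

    @staticmethod
    def extract(v6):
        """PREFIX::v4 -> v4; anything outside PREFIX is not translatable."""
        v6 = ipaddress.IPv6Address(v6)
        if v6 not in PREFIX:
            raise ValueError(f"{v6} is not inside {PREFIX}")
        return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)

    def outbound(self, src6, dst6):
        """IPv6 -> IPv4 direction: create or reuse a binding, rewrite both addresses."""
        src6 = ipaddress.IPv6Address(src6)
        dst4 = self.extract(dst6)
        if src6 not in self.v6_to_pool:
            if not self.free:
                raise RuntimeError("IPv4 pool exhausted")
            pool4 = self.free.pop(0)
            self.v6_to_pool[src6] = pool4
            self.pool_to_v6[pool4] = src6
        return str(self.v6_to_pool[src6]), str(dst4)

    def inbound(self, src4, dst4):
        """IPv4 -> IPv6 direction: only packets matching an existing binding pass."""
        pool4 = ipaddress.IPv4Address(dst4)
        if pool4 not in self.pool_to_v6:
            return None   # unsolicited packet to a pool address: dropped
        return str(self.embed(src4)), str(self.pool_to_v6[pool4])
```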
In this article we covered the secure remote access options currently available to Microsoft networks. Some of these options have been available since early versions of Windows NT, while some will not be available until you have implemented Windows 7 and Windows Server 2008 R2. Each of them has its own advantages and disadvantages, and each of them provides a different level of security, for different types of remote access. Hopefully, after reading this article, you will have a better idea of the remote access options available to you and will be able to choose the one that looks like it will serve your needs best, so that you can then search for more information on that solution (or those solutions).